NIST SP 800-213: An Important Cybersecurity Guide for U.S. Government Procurement of IoT Products
Overview
Published by the U.S. National Institute of Standards and Technology (NIST), NIST SP 800-213 provides federal agencies with a structured method for assessing the cybersecurity risks of IoT products. It helps procurement teams determine whether a product has the appropriate security functions and supporting capabilities before it is purchased and deployed.
What Is the Main Purpose of NIST SP 800-213?
Once connected to government information systems, IoT products may interact with internal networks, user data, or other sensitive information. If a product does not include appropriate security measures, it may increase the risk of unauthorized access, data exposure, or cyberattacks.
For this reason, NIST SP 800-213 recommends that government agencies consider more than product functionality, price, and compatibility when procuring IoT products. Agencies should also define cybersecurity requirements based on the product’s intended use, operating environment, and associated risks.
These requirements may include:
- Product and device identification
- User and device access control
- Protection of stored and transmitted data
- Secure configuration management
- Software and firmware update mechanisms
- Monitoring of device security status
- Vulnerability disclosure and remediation processes
- Security documentation and support provided by the manufacturer
In other words, government agencies should first understand the risks associated with a product and then determine which security capabilities are necessary. The guidance does not require every IoT product to follow exactly the same set of requirements.
What Does This Mean for IoT Manufacturers?
Although NIST SP 800-213 is primarily intended for U.S. federal agencies, it may also affect IoT manufacturers and suppliers seeking to enter the U.S. government market.
During government procurement or supplier evaluation, manufacturers may be expected not only to explain the security functions built into their products, but also to provide supporting information such as:
- Product cybersecurity feature descriptions
- Software and firmware update policies
- Vulnerability reporting and handling procedures
- Product security support periods
- Secure configuration and operation guidance
Therefore, having security functions in the product is only part of the requirement. A manufacturer’s ability to provide updates, address vulnerabilities, and clearly document the product’s security mechanisms may also become an important part of the procurement evaluation process.
NIST Is Updating SP 800-213
NIST released the initial public draft of NIST SP 800-213 Revision 1 on June 24, 2026. The revision expands the scope of assessment from an individual IoT device to the broader IoT product.
A complete IoT product may include not only the physical device, but also mobile applications, cloud services, backend platforms, and other supporting components. The draft reflects the need for government agencies to consider the cybersecurity risks associated with these related services and components.
This change indicates that future IoT cybersecurity assessments may focus not only on the device itself, but also on the product’s overall architecture, service environment, and the manufacturer’s security support capabilities.
Preparing IoT Cybersecurity Documentation in Advance
IoT manufacturers planning to enter the U.S. government market or related supply chains may benefit from reviewing their product security functions, update mechanisms, vulnerability management processes, and technical documentation in line with the principles of NIST SP 800-213.
NIST has also published SP 800-213A, IoT Device Cybersecurity Requirement Catalog, which provides a more detailed list of cybersecurity capabilities and supporting requirements. This document is intended to help government agencies develop product-specific requirements based on the approach described in SP 800-213.
The One Lab will continue to monitor the development of NIST SP 800-213 Revision 1, as well as any updates related to SP 800-213A. We will continue to share further information on policy developments, technical requirements, and government procurement expectations as they become available.
References
- NIST SP 800-213 – IoT Device Cybersecurity Guidance for the Federal Government: Establishing IoT Device Cybersecurity Requirements
https://csrc.nist.gov/pubs/sp/800/213/final - NIST SP 800-213 Revision 1 – IoT Product Cybersecurity Guidelines for the Federal Government: Establishing IoT Product Cybersecurity Requirements
https://csrc.nist.gov/pubs/sp/800/213/r1/ipd - NIST Announcement – Release of the Initial Public Draft of SP 800-213 Revision 1
https://csrc.nist.gov/News/2026/nist-releases-sp-800-213r1-ipd - NIST SP 800-213A – IoT Device Cybersecurity Requirement Catalog
https://csrc.nist.gov/pubs/sp/800/213/a/final
